Malware Scanning Moves to the Cloud

Anti-malware software has long been viewed as a necessary evil, as in, necessary and
evil to have on your machine.

It's necessary because without it, your computer could become an infected mess, a
zombie on a botnet spewing out spam and running as slow as a 386 by today's standards.

It's also evil because while spyware and malware can slow your computer to a crawl, AV
software isn't a whole lot better. The only bigger productivity-killer than Flash games
on the Web is a full system scan running in the background.

To alleviate some of this stress, antivirus vendors have taken to moving some of the
processing of suspected malware to the Internet "cloud." Trend Micro launched such a service,
called Smart Protection Network, this past June and has new products that build on that
technology planned for release later this week. Now both F-Secure and McAfee are
launching similar efforts.

They all use roughly the same approach: when a suspicious URL or file first appears
anywhere in the world, whether it's on a person's computer or attached to an e-mail, a
hash of it is taken and compared against the vendor's databases of known malware, white
lists and black lists. If the file exhibits questionable behavior or traits, it is flagged
as dangerous, and from then on every customer is protected because the hash is recognized,
even if its malicious payload has not yet been fully analyzed.

The usual process today is to receive a malware sample, examine it, and issue an update
to the antivirus signature file, which can take a day or more. In that time, a lot of
damage can be done. The cloud services instead push out protection within seconds of the
sample arriving on the antivirus vendor's network.
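The lookup flow those two paragraphs describe, as an added example that is not code from the article or from any of the vendors it names. The `CloudReputationService`, `Endpoint` and the sample "files" are hypothetical stand-ins: the cloud side keeps the white and black lists and blacklists a never-before-seen hash on first sighting when the submitter reports questionable traits, and the endpoint keeps only a small local signature set plus a cache of cloud verdicts. The `questionable_traits` flag stands in for whatever behavioral or static heuristics a real engine applies.

```python
# Added example (not from the article or any vendor's code): a tiered
# hash-reputation lookup of the kind the paragraphs above describe.
# The service, endpoint and sample bytes below are hypothetical.
import hashlib
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"


def file_hash(data: bytes) -> str:
    """Content hash the endpoint sends to the cloud instead of the file."""
    return hashlib.sha256(data).hexdigest()


class CloudReputationService:
    """Vendor-side database: white list, black list, and the rule that a
    never-before-seen file showing questionable traits is blacklisted on
    first sighting, so every later lookup from any customer is blocked."""

    def __init__(self, whitelist, blacklist):
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.lookups = 0

    def query(self, digest: str, questionable_traits: bool) -> Verdict:
        self.lookups += 1
        if digest in self.whitelist:
            return Verdict.CLEAN
        if digest in self.blacklist:
            return Verdict.MALICIOUS
        if questionable_traits:
            self.blacklist.add(digest)  # quick fix; full analysis can follow later
            return Verdict.MALICIOUS
        return Verdict.UNKNOWN


class Endpoint:
    """Customer machine: small local signature set, a cache of cloud
    verdicts, and the cloud as the fallback for anything else."""

    def __init__(self, cloud: CloudReputationService, local_signatures):
        self.cloud = cloud
        self.local_signatures = set(local_signatures)
        self.cache = {}

    def scan(self, data: bytes, questionable_traits: bool = False) -> Verdict:
        digest = file_hash(data)
        if digest in self.local_signatures:
            return Verdict.MALICIOUS  # known malware never needs a round trip
        if digest in self.cache:
            return self.cache[digest]
        verdict = self.cloud.query(digest, questionable_traits)
        if verdict is not Verdict.UNKNOWN:
            self.cache[digest] = verdict
        return verdict


# Constructed sample "files"; real ones would be executables or URLs.
OLD_WORM = b"MZ\x90\x00 old worm, already in the local signature file"
NEW_DROPPER = b"MZ\x90\x00 brand-new dropper nobody has seen yet"
MUTATED_DROPPER = NEW_DROPPER + b"\x00"  # one byte appended: different hash
SIGNED_TOOL = b"MZ\x90\x00 well-known signed utility"


def demo() -> dict:
    """Walk two customers through the first sighting of a new sample."""
    cloud = CloudReputationService(whitelist=[file_hash(SIGNED_TOOL)], blacklist=[])
    alice = Endpoint(cloud, local_signatures=[file_hash(OLD_WORM)])
    bob = Endpoint(cloud, local_signatures=[file_hash(OLD_WORM)])

    results = {}
    # Known malware is caught locally with no cloud lookup at all.
    results["alice_old_worm"] = alice.scan(OLD_WORM)
    results["lookups_after_local_hit"] = cloud.lookups
    # First sighting anywhere: Alice's machine reports questionable traits.
    results["alice_new_dropper"] = alice.scan(NEW_DROPPER, questionable_traits=True)
    # Seconds later Bob sees the same file; the hash alone protects him.
    results["bob_new_dropper"] = bob.scan(NEW_DROPPER)
    results["signed_tool"] = bob.scan(SIGNED_TOOL)
    # Limit of exact-match hashing: a trivially altered copy is unknown again.
    results["bob_mutated_dropper"] = bob.scan(MUTATED_DROPPER)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.value if isinstance(value, Verdict) else value}")
```

The last step is the caveat a practitioner should keep in mind: a hash lookup only recognizes byte-identical copies, so a repacked or slightly modified sample comes back as unknown until something else (behavior, a new sighting with questionable traits, or analyst work) puts its new hash on the list.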

Such speed is needed. Peter Firstbrook, a security researcher for Gartner, said that
we are on track for five million pieces of malware in 2008, whereas in 1998 the full
year saw just 1,700 pieces of new malware.

The idea is to cut zero-day threats, threats for which defenders have no signature or fix
yet, down to one-minute threats that are recognized as soon as they show up, said David
Marcus, security research and communications manager at McAfee's (NYSE: MFE) Avert Labs.

"It's almost the equivalent of being a first responder," he told
InternetNews.com. "It allows us to say we don't know what it is, but we've
identified something suspicious going on, let's take it into the cloud, compare to larger
black list, and make a fix. It lets us close a huge protection gap between when it's
found, when it's analyzed, when it has protection written against it and when it's sent
out, which is usually the next day after it's found."

Once the malware has a quick fix in place, engineers at the firms perform a closer
examination without having to rush out a fix, and it is eventually identified and given a
name.

F-Secure's service is known as DeepGuard and offered as part of its new Wellbeing 2009
suite of security software. McAfee's service is called Artemis and is a part of McAfee
Total Protection Service for small and medium-sized businesses. It will also be a part of
McAfee VirusScan Enterprise and McAfee's consumer products later this month.

The goal is to take the load off the end user's computer, since users are already
getting two or three signature updates a day, and at the same time greatly increase the
database of bad software out there.

As big as the definitions files are, with hundreds of thousands of entries, Marcus
said McAfee gets far more data per day than it would ever want to put on an end user's
computer.

"It gets to the point of how much of a load do you want to put on the end point?" he
said. "We have access to more info in the cloud than we would ever put on the customer
machine and we're always adding to that list."

Long term, it could allow McAfee to take the load off the end user by putting only the
necessary signature files on the computer. When a virus scan runs, each file has to be
checked against the whole signature database, and that gets very slow given the size of
signature databases today.

Firstbrook said the solutions are good in the short-term but don't solve the overall
problem. "It's not game changing. They've gained a little scalability, and they needed to
do that. But they've won the battle and are losing the war because the bad guys are
always keeping ahead of them," he said.

His preference is for locking down the system in a known good configuration and white
listing known good applications, but that, he notes, is a ways off, too. "I tried to
install 'Google' Chrome and Kaspersky Antivirus blocked it immediately. iTunes constantly
asks me to update, and I have no idea what it will do. I've totally lost control of my
system," he said.